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Status of Claims 

1 . This action is in reply to the application filed on September 21 , 2005. Preliminary amendments to 
the claims were received on September 21, 2005. Claim 11 was cancelled. Claims 1-10 and 12- 
25 are currently pending and have been examined. Application claims priority to International 
Application (number PCT/EP 2004/003004) filed on March 25, 2003. The application is accepted 
as a national stage application under 35 USC 371 and 37 CFR 1.495. 

Information Disclosure Statement 

2. The Information Disclosure Statement filed on December 23, 2008 has been considered. An 
initialed copy of Form 1449 is enclosed herewith. 

Drawings 

3. Original drawings 1-4 were received on September 21 , 2005. Drawings 1-4 are accepted. 

Specification 

4. The disclosure is objected to because it contains an embedded hyperlink and/or other form of 
browser-executable code on page 1, line 6. Applicant is required to delete the embedded 
hyperlink and/or other form of browser-executable code. See MPEP §608.01 . Examiner suggests 
replacing the hyperlink with a uniform resource locator enclosed in angle brackets 
("<java.sun.com/products/javacard>"). 
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Claim Rejections - 35 USC §112 

5. The following is a quotation of the second paragraph of 35 U.S.C. 1 12: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

6. Claims 9 (lines 2 and 3), 20 (lines 1 and 2), and 25 (line 2) contain the trademark/trade names 
Java Card™. Where a trademark or trade name is used in a claim as a limitation to identify or 
describe a particular material or product, the claim does not comply with the requirements of 35 
U.S.C. 112, second paragraph. See Ex parte Simpson, 218 USPQ 1020 (Bd. App. 1982). The 
claim scope is uncertain since the trademark or trade name cannot be used properly to identify 
any particular material or product. A trademark or trade name is used to identify a source of 
goods, and not the goods themselves. Thus, a trademark or trade name does not identify or 
describe the goods associated with the trademark or trade name. In the present case, the 
trademark/trade name is used to identify/describe a type of portable data carrier and, accordingly, 
the identification/description is indefinite. 

Claim Rejections - 35 USC §101 

7. 35 U.S.C. §101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of 
matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the 
conditions and requirements of this title. 

8. Claims 21-25 are rejected under 35 U.S.C. §101 because the claimed invention is directed to 
non-statutory subject matter. 

9. Claim 21 is drawn to "a computer program product having program instructions for causing a 
processor of a portable data carrier to perform a method". Tangibly embodied instructions for a 
computer do constitute patentable subject matter. However, applicant states in paragraph 0018 
liens 6-7 that, in their conception, a computer-readable medium may include a "non-physical 
medium" such as "a signal transmitted via a computer network." Such a signal is not statutory 
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subject matter. See, e.g., In re Nuitjen, Docket no. 2006-1371 (Fed. Cir. Sept. 20, 2007)(slip. op. 
at 18)("A transitory, propagating signal like Nuitjen's is not a process, machine, manufacture, or 
composition of matter.' ... Thus, such a signal cannot be patentable subject matter."). Examiner 
suggests drawing these claims to a tangible computer program product as described in 
paragraph 0018. 

10. Claims 22-25 are rejected as depending from a rejected claim. These claims do not limit the 
scope of the parent claim to restrict the "computer program product" to patentable subject matter. 



Claim Rejections - 35 USC §103 



11. The following is a quotation of 35 U.S.C. §103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 



(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

12. Claims 1-10, and 12-25 are rejected under 35 U.S.C. §103(a) as being unpatentable as obvious 

overOsen (EP 1,271,317 A1), in view of Starovic et al. (US 6,625,751 B1). 



Claim 1 

Osen teaches a method for the controlled execution of a program ("jobs"), the program being 
intended for a job on a portable data carrier ("System-on-Chip") (see at least page 2 right column, 
paragraph 10). Osen further teaches that the method comprises: 

• the data carrier has a processor which executes at least a first and a second job (see at 
least page 2 right column, lines 30-33, particularly: "a System-on-Chip comprising an 
operating system designed to execute jobs in a sequential manner"). 

• the program is executed both by the first and by the second job (see at least page 2 right 
column, lines 34-36, particularly: "means to repeat jobs at least twice"). 
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• an operating state of the first job and an operating state of the second job are checked 
during execution of the program for correspondence, (see at least page 2 right column, 
lines 35-36, particularly: "comparison means to validate the results from repeated jobs by 
checking the output data for equivalency"). 

• execution of the program is aborted if a difference is found between the operating state of 
the first job and the operating state of the second job (see at least page 2 right column, 
lines 38-40, particularly: "means to launch of an exception handler in case of 
unsuccessful comparison"). 

Osen teaches the program is intended for execution by a smart card ("System-on-Chip", see at 
least page 2 column 2 paragraph 10). Osen further teaches that the jobs run in an "operating 
system" (see at least page 2 left column lines 34-36). Osen does not explicitly teach that the jobs 
are executed in separate virtual machines. However, Starovic teaches virtual machines (see at 
least column 5, lines 64-65: "a Java VM"). Starovic further teaches separate virtual machines for 
the repeated execution of the same program (see at least figure 4, "primary VM replica" and 
"secondary VM replica"). It would have been obvious to one of ordinary skill in the art to combine 
the smart card operating system of Osen with the virtual machines of Starovic because a smart 
card operating system is suitable for a virtual machine which "forms a general information and 
execution engine for application code" (see at least Starovic, column 6, lines 2-7). 

Claim 10 

Claim 10 is directed to a system implementing the method of claim 1. Osen teaches a portable 
data carrier (page 2 paragraph 5 "System-on-Chip") having a processor (page 2 paragraph 5 
"microprocessor") and an operating system (page 2 paragraph 3 "Operating System"). Osen 
further teaches the limitations of claim 1, as shown above. 
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Claim 21 

Claim 21 is directed to a computer program product implementing the method of claim 1. Osen 
teaches a computer program product having program instructions for causing the method of claim 
1 (see at least page 2, paragraph 3, particularly: "Operating System"). Osen further teaches the 
limitations of claim 1 , as shown supra. 

Claims 2 and 13 

Claim 2 includes all of the limitations of claim 1. Claim 13 includes all of the limitations of claim 
10. Starovic also teaches comparing the operating states of two virtual machines sequentially 
running the same program. Starovic further teaches that the state of a program counter of the 
first virtual machine is the same as the state of a program counter of the second virtual machine 
(see at least column 13, lines 50-60, particularly: "the heartbeat messages can contain ... state 
(or signature of state) information ... Such state information can include ... a state of each 
thread"). A state of each thread is a program counter because it includes the address of the next 
instruction to be processed (see at least column 13, line 62: "making progress"). It would have 
been obvious to one of ordinary skill in the art at the time of the invention to combine the 
comparing step of Osen to include the comparing of the program counter of Starovic because it 
would assist in "faster and more accurate failure detection" (see at least Starovic column 13 lines 
53-54) thus allowing the system to "reliably detect failures" and "take corrective action before 
harm is made" (Osen page 2 column 2 paragraph 9). 

Claims 3 and 14 

Claim 3 includes all of the limitations of claim 1. Claim 14 includes all of the limitations of claim 
10. Osen further teaches that state information such as the level of the stack pointer is examined 
for a single job (see at least page 3, column 4, lines 39-41, particularly: "Verifying that the stack 
pointer is in a range of legal values.") Osen does not teach that the level of the stack pointer is 
compared between the two jobs . However, Starovic teaches comparing the operating states of 
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two virtual machines sequentially running the same program, including state information (see at 
least column 13, lines 50-53). It would have been obvious to one of ordinary skill in the art at the 
time of the invention to combine the state information including stack pointer of Osen with the 
comparing of state information of Starovic because it would assist in "faster and more accurate 
failure detection" (see at least Starovic column 13 lines 53-54) thus allowing the system to 
"reliably detect failures" and "take corrective action before harm is made" (Osen page 2 column 2 
paragraph 9). 

Claims 4 and 15 

Claim 4 includes all of the limitations of claim 1. Claim 15 includes all of the limitations of claim 
10. Osen further teaches that state information such as a value of the most recent element in a 
stack associated with the first job is the same as a value of the most recent element in a stack 
associated with the second job (see at least page 2, column 2, lines 36-38, particularly: "checking 
the output data for equivalency"). It would have been obvious to one of ordinary skill in the art at 
the time of the invention that output data are a stack because the output data is information 
stored sequentially in a memory. 

Claims 5 and 16 

Claim 5 includes all of the limitations of claim 1. Claim 16 includes all of the limitations of claim 
10. Osen teaches that checking of the operating state is in each case performed after an 
instruction of the program has been executed both by the first and by the second job (see at least 
page 3, column 4, paragraph 0024 "When a job has been executed twice , the comparing of the 
results may either validate or invalidate the result.") As shown above for claim 1, Starovic 
teaches that the job can be a virtual machine. 
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Claims 6 and 17 

Claim 6 includes all of the limitations of claim 1. Claim 17 includes all of the limitations of claim 
10. Osen teaches the first and the second job access a common heap ('list") in a non-volatile 
memory of the data carrier (see at least page 3, column 3, lines 20-37, particularly: "For memory 
consumption reasons the second job does not save the physical addresses in a list, but only uses 
said addresses to compute the CRC-32.") Because the first and second job both use the data 
stored in memory for comparison, they both access a common heap. As shown above for claim 
1 , Starovic teaches that the job can be a virtual machine. 

Claims 7, 18, and 23 

Claim 7 includes all of the limitations of claim 6. Claim 18 includes all of the limitations of claim 
17. Claim 23 includes all of the limitations of claim 22. Osen teaches that a write operation to the 
common heap is preferably executed only by the first virtual machine ("job") (see at least page 3, 
column 3, lines 20-37, particularly: "For memory consumption reasons the second job does not 
save the physical addresses in a list, but only uses said addresses to compute the CRC-32.") 
Because the first and second virtual machine both use the data stored in memory for comparison, 
they both access a common heap.") However, Osen does not explicitly teach that a write 
operation is only performed by the first virtual machine. Starovic teaches that certain types of 
actions ("non-deterministic choices") are only performed by the first virtual machine (see at least 
column 8, lines 58-61, particularly: "In passive replication there is a distinguished or primary 
replica and the other replicas are backups or secondaries. The primary resolves the non- 
deterministic choices and informs the backups about its decisions.") Starovic further teaches that 
these actions taken only by the first virtual machine include a write operation (see at least column 
9, lines 17-20, particularly: "write to the environment"). It would have been obvious to one of 
ordinary skill in the art at the time of the invention to combine the writing to the common heap of 
Osen with the restriction that all writing is performed by the first virtual machine of Starovic 
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because it would "maintain both internal and external consistency of the VM replicas" (Starovic, 
column 9, lines 20-23). 



Claims 8, 19, and 24 

Claim 8 includes all of the limitations of claim 7. Claim 19 includes all of the limitations of claim 
18. Claim 24 includes all of the limitations of claim 23. Osen teaches that instead of performing 
the write operation, the second virtual machine ("job") checks whether a value that is to be written 
is present in the heap at the location that is to be written to (see at least page 3, column 3, lines 
20-35, particularly: "To check the correctness of the list created in the first job it is sufficient to 
check that the CRC-32 resulting from both jobs are identical. ") Osen does not explicitly teach 
that the instruction of the program is executed first by the first virtual machine and then by the 
second virtual machine. However, Starovic teaches sequential execution of the first ("primary") 
virtual machine and then the second ("replica" or "backup") virtual machine (see at least column 
8, lines 62-63: "The state of the backups can be more or less tightly synchronized with the state 
of the primary, but the backups are always behind the primary.") It would have been obvious to 
one of ordinary skill in the art at the time of the invention to combine the first and second virtual 
machine as disclosed by Osen with the sequential execution of the first and second virtual 
machines as disclosed by Starovic because it would allow the first virtual machine to compute a 
result and store it, and the second virtual machine to subsequently check whether the stored 
value is correct. 

Claims 9, 20, and 25 

Claim 9 includes all of the limitations of claim 1. Claim 20 includes all of the limitations of claim 
10. Claim 25 includes all of the limitations of claim 21 . Osen teaches the program is intended for 
execution by a smart card ("System-on-Chip", see at least page 2 column 2 paragraph 10). Osen 
does not teach a Java Card Applet running on a Java Virtual Machine. Starovic teaches a Java 
Virtual Machine (see at least column 5, lines 64-65: "a Java VM"). Starovic further teaches an 
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application running on a Java Virtual Machine (see at least column 5, lines 62-67, particularly: 
" application code in a VM such as, for example, a Java VM"). A Java application is an applet. It 
would have been obvious to one of ordinary skill in the art to combine the system on a chip of 
Osen with the Java Virtual Machine and Java applet of Starovic because it is an exemplary type 
of smart card technology which "forms a general information and execution engine for application 
code" (see at least Starovic, column 6, lines 2-7). 

Claim 12 

Claim 12 includes all of the limitations of claim 10. Osen further teaches that the portable data 
carrier is a chip module (see at least page 2 paragraph 2: "By ' System-on-Chip' , it is meant an 
electronic module packaged as a single chip"). 



13. "Overview about attacks on smart cards" (Rankl, 2003) is cited because it speaks to at least 
claims 1 and 9 (see at least page 81, right column, third paragraph: "The simplest defence is to 
calculate the crypto-algorithm in the smart card twice and to compare the two results"). 

14. "AR-SMT: Coarse-Grain Time Redundancy for High Performance General Purpose Processors" 
is cited because it speaks to claims 6-8 (see at least page 9, paragraph 4, particularly: "both 
streams share the same register and memory state"). 

15. Examiner's Note: The Examiner has pointed out particular references contained in the prior art 
of record within the body of this action for the convenience of the Applicant. Although the 
specified citations are representative of the teachings in the art and are applied to the specific 
limitations within the individual claim, other passages and figures may apply. Applicant, in 
preparing the response, should consider fully the entire reference as potentially teaching all or 
part of the claimed invention, as well as the context of the passage as taught by the prior art or 
disclosed by the Examiner. 
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Conclusion 

16. Any inquiry of a general nature or relating to the status of this application or concerning this 
communication or earlier communications from the Examiner should be directed to Erika 
Kretzmer whose telephone number is (571) 270-5554. The Examiner can normally be reached 
Monday through Thursday, 9:30am-6:00pm Eastern Time. If attempts to reach the examiner are 
unsuccessful, the Examiner's supervisor, Tuan Dam can be reached at (571) 272-3695. 

17. Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see httg://porta j.uspto.gov/extem . Please direct questions on access to the Private 
PAIR system to the Electronic Business Center (EBC) at 866.217.9197 (toll-free). 

18. Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
Washington, D.C. 20231 

or faxed to 571-273-8300. Hand delivered responses should be brought to the United States 
Patent and Trademark Office Customer Service Window: 
Randolph Building 
401 Dulany Street 
Alexandria, VA 22314. 

/Erika Kretzmer/ /Tuan Q. Dam/ 

Supervisory Patent Examiner, Art Unit 2192 

Examiner, Art Unit 2192 
August 14, 2009 



